WordPress IPTables

Please note, this is a working document. If you see anything thats missing, or needs more info..please do let me know

We really don’t want much in the way of outbound traffic coming from File our WordPress install. Malicious scrips and plugins will try to “phone home” or potentially deny someone else’s webserver of service, or possibly download more malicious scripts to be used on your website.

Unfortunately, in some cases we *want* wordpress to connect outbound, for example in the case of installing new plugins.

Now, if you want to install your plugins and themes manually you don’t need to do any of this, you can just upload the zip file onto your webserver, and unzip it into the wp-content/plugins directory. However, in the event that you want to search and install plugins from the dashboard, here’s how you can configure iptables.

The following assumes that your default firewall policy is to DROP outbound packets (OUTPUT -P DROP)

During my logging, it seems that the dashboard uses the same host/IP address when querying plugins (66.155.40.250) which does indeed have a wordpress PTR record (250.40.155.66.in-addr.arpa domain name pointer wordpress.org.) and when used in the browser resolves to wordpress.org. We need to allow outbound packets on port 80 from our server to this ip address.

Personally, I wanted to keep it a little tidier so created a new chain for wordpress (OUTPUT_WP) and Year added it there.

*UPDATE*

Turns out WordPress will try port 80 first (http) and then fall onto port 443 (https). Seeing as SSL is much more desirable in this context, we can actually allow to the destination port (–dport) 443.

Also, it would seem that WordPress have more ip addresses in that range, and although it will still work with just the one IP address..seems to make sense to Markierung allow it to failover onto another quickly enough. I’ll add more of these as time goes by.